April 2025 Patch Tuesday: What You Need to Know
TL;DR – In Plain English
Microsoft just patched 121 security flaws in Windows. One of them is already being used by cybercriminals. The rest are being reverse engineered as you read this. That means by tomorrow, today’s problems become active threats.
Some patches fix bugs, while others prevent hackers from gaining full control of systems or breaking into servers remotely. Updates touch everything from printing and login security to Office and remote desktop access. If your computers run Windows (they probably do), don’t put this off.
Apply the updates. Then, check that everything still works – especially logins and printers. If you’re a business, assume this is essential maintenance. If you’re an IT leader, this is one to escalate.
CVE Breakdown – In Plain English
This month, Microsoft patched 121 unique vulnerabilities (known as CVEs). Here’s a breakdown of the most significant ones, explained in accessible terms:
Actively Exploited
CVE-2025-29824 – Already being used in the wild. Lets attackers gain SYSTEM-level control by exploiting a flaw in the CLFS (Common Log File System) driver. Once a hacker is already on a machine, this lets them take full control of it. Critical for ransomware defence.
Remote Code Execution (RCE) – 31 Total
These allow attackers to run their own programs on your systems without permission.
CVE-2025-27480 & CVE-2025-27482 – Affect Remote Desktop Gateway. Let attackers run code if they can time requests just right. Especially important if RD Gateway is exposed to the internet.
CVE-2025-27487 – Lets a fake RDP server compromise a connecting device. A risk if your users connect to unfamiliar RDP servers.
CVE-2025-26663 & CVE-2025-26670 – Let attackers exploit LDAP services to execute code. LDAP is used in directory services like Active Directory.
CVE-2025-27491 – Hyper-V bug. Lets someone in a virtual machine break out and run code on the physical server.
Multiple Office CVEs – Include flaws in Word, Excel, and Outlook that can execute malicious code if a user opens a rigged file.
Elevation of Privilege – 49 Total
These flaws let users or malware gain higher permissions than they should have.
CVE-2025-26647 – Kerberos certificate authentication flaw. Starts in audit mode now; enforcement later in 2025. Misconfigured certificates may break logins.
CVE-2025-27740 – Active Directory Certificate Services flaw. Could allow someone to become domain admin by abusing certificates.
Other EoP bugs were fixed in the kernel, authentication system, printing, file systems, and the shell. Each one represents a way attackers could move from standard user to admin if left unpatched.
Denial of Service, Spoofing, and Info Disclosure – 41 Total
Includes multiple fixes for potential crash bugs in services like LDAP and KDC Proxy.
Spoofing fixes mostly protect against tricks to impersonate legitimate users.
Information Disclosure bugs patch flaws where sensitive data could be leaked.
Glossary
CVE – Common Vulnerabilities and Exposures. A unique ID assigned to each publicly known security flaw.
Zero-Day – A vulnerability being actively exploited before a patch exists.
RCE – Remote Code Execution. A serious flaw that lets attackers run code remotely.
EoP – Elevation of Privilege. When a user or program gains more access than it should.
Kerberos – A secure authentication system used in Windows domains.
PAC – Privilege Attribute Certificate. Part of the Kerberos ticket used to verify what a user can access.
NTAuth Store – A list of trusted certificate authorities in Active Directory.
Hyper-V – Microsoft's virtualisation platform for running virtual machines.
RDP – Remote Desktop Protocol. Used to access Windows desktops remotely.
LDAP – Lightweight Directory Access Protocol. Used by Active Directory to manage users, computers, and permissions.
Active Directory Certificate Services (AD CS) – A Windows Server role that issues digital certificates.